Missing configuration for LXC containers on omap4

Bug #787749 reported by Stéphane Graber
Affects                    Status        Importance  Assigned to      Milestone
linux-ti-omap4 (Ubuntu)    Fix Released  Undecided   Andy Whitcroft
  Natty                    Fix Released  Undecided   Paolo Pisati

Bug Description

SRU Justification:

Impact: without these two options, lxc won't work on omap4.

Testcase:

flag@omap:~$ lxc-checkconfig

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing # CONFIG_USER_NS
Network namespace: enabled
Multiple /dev/pts instances: missing # DEVPTS_MULTIPLE_INSTANCES

--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: missing
enabled

Fix: The attached patch enables the necessary options.

----------------------------------------------------------------------------------------------------------------------------------------

The following configuration required for LXC is currently missing for linux-ti-omap4:
 - CONFIG_USER_NS
 - DEVPTS_MULTIPLE_INSTANCES
 - CONFIG_SECURITY_FILE_CAPABILITIES

These are at least the obvious ones as reported by "lxc-checkconfig".

Below is the output on ARM and on x86:

stgraber@castiana:~/Desktop$ CONFIG=/home/stgraber/.cache/.fr-2ObRP4/boot/config-2.6.38-1209-omap4 lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing CONFIG_USER_NS
Network namespace: enabled
Multiple /dev/pts instances: missing DEVPTS_MULTIPLE_INSTANCES

--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: missing CONFIG_SECURITY_FILE_CAPABILITIES
enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

stgraber@castiana:~/Desktop$ lxc-checkconfig
Kernel config /proc/config.gz not found, looking in other places...
Found kernel config file /boot/config-2.6.39-2-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

Stéphane Graber (stgraber) wrote :

Note that I added the missing config next to each "missing" by looking at lxc-checkconfig's code.

Paolo Pisati (p-pisati)
Changed in linux-ti-omap4 (Ubuntu):
assignee: nobody → Paolo Pisati (p-pisati)
Tim Gardner (timg-tpi)
Changed in linux-ti-omap4 (Ubuntu):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Natty):
status: New → Fix Committed
assignee: nobody → Paolo Pisati (p-pisati)
Changed in linux-ti-omap4 (Ubuntu):
assignee: Paolo Pisati (p-pisati) → nobody
Paolo Pisati (p-pisati) wrote :
description: updated
Paolo Pisati (p-pisati) wrote :

with regards to the last option - CONFIG_SECURITY_FILE_CAPABILITIES - that has been deprecated since 2.6.33, and userland should be patched appropriately:

http://<email address hidden>/msg00123.html

Andy Whitcroft (apw)
Changed in linux-ti-omap4 (Ubuntu):
status: Invalid → Fix Released
Andy Whitcroft (apw)
Changed in linux-ti-omap4 (Ubuntu):
status: Fix Released → Fix Committed
assignee: nobody → Andy Whitcroft (apw)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ti-omap4 - 3.0.0-1200.3

---------------
linux-ti-omap4 (3.0.0-1200.3) oneiric; urgency=low

  [ Andy Whitcroft ]

  * [Config] enable CONFIG_ISCSI_BOOT_SYSFS=m & CONFIG_ISCSI_TCP=m
    - LP: #820349
  * [Config] Turn on CONFIG_USER_NS and DEVPTS_MULTIPLE_INSTANCES.
    - LP: #787749

  [ John Johansen ]

  * [Config] Enable missing IPv6 options

  [ Tim Gardner ]

  * [Config] Enabled some IPSEC config options
    - LP: #818548
 -- Andy Whitcroft <email address hidden> Wed, 10 Aug 2011 21:33:29 +0100

Changed in linux-ti-omap4 (Ubuntu):
status: Fix Committed → Fix Released
Herton R. Krzesinski (herton) wrote :

This bug is awaiting verification that the linux-ti-omap4 2.6.38-1209.15 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-natty' to 'verification-done-natty'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-natty
Herton R. Krzesinski (herton) wrote :

Everything looks ok with 2.6.38-1209.15 release:

======================================
$ wget 'http://ports.ubuntu.com/pool/main/l/linux-ti-omap4/linux-image-2.6.38-1208-omap4_2.6.38-1208.11_armel.deb'
..
$ dpkg-deb -x linux-image-2.6.38-1208-omap4_2.6.38-1208.11_armel.deb .
$ CONFIG=./boot/config-2.6.38-1208-omap4 lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: missing

--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: missing
enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

$ wget 'http://ports.ubuntu.com/pool/main/l/linux-ti-omap4/linux-image-2.6.38-1209-omap4_2.6.38-1209.15_armel.deb'
...
$ dpkg-deb -x linux-image-2.6.38-1209-omap4_2.6.38-1209.15_armel.deb .
$ CONFIG=./boot/config-2.6.38-1209-omap4 lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: missing
enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
======================================

Just ignoring the File capabilities: missing though, due to what was stated in comment #3

Marking as verified.

tags: added: verification-done-natty
removed: verification-needed-natty
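The verification above checks a packaged kernel's config file with lxc-checkconfig and then has to ignore the "File capabilities: missing" line by hand, because (as comment #3 says) CONFIG_SECURITY_FILE_CAPABILITIES no longer exists on 2.6.33 and later kernels. The script below is an added example, not from the bug report or the lxc project: it checks a config file for the two options this bug turned on, using the full Kconfig symbol CONFIG_DEVPTS_MULTIPLE_INSTANCES, and only demands the file-capabilities option on kernels older than 2.6.33. The sample config files it writes are constructed, not the real Ubuntu ones.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the lxc project: check a
# kernel .config for the options this bug is about, treating file capabilities
# as built in from 2.6.33 on (CONFIG_SECURITY_FILE_CAPABILITIES was removed
# then, which is why lxc-checkconfig keeps reporting it "missing").

# True if symbol $2 is set to y or m in config file $1.
cfg_enabled() {
    grep -Eq "^$2=[ym]\$" "$1"
}

# True if version $1 >= version $2, both written as major.minor.patch;
# an Ubuntu ABI suffix such as "-1209-omap4" (uname -r output) is dropped.
version_ge() {
    a=${1%%-*}; b=${2%%-*}
    a1=${a%%.*}; r=${a#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${b%%.*}; r=${b#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -ne "$b1" ] && { [ "$a1" -gt "$b1" ]; return; }
    [ "$a2" -ne "$b2" ] && { [ "$a2" -gt "$b2" ]; return; }
    [ "$a3" -ge "$b3" ]
}

# Report each LXC requirement for config file $1 built for kernel version $2;
# the return value is the number of requirements that are really missing.
check_lxc_config() {
    cfg=$1; ver=$2; fails=0
    for sym in CONFIG_USER_NS CONFIG_DEVPTS_MULTIPLE_INSTANCES; do
        if cfg_enabled "$cfg" "$sym"; then echo "$sym: enabled"
        else echo "$sym: missing"; fails=$((fails + 1)); fi
    done
    if version_ge "$ver" 2.6.33; then
        echo "File capabilities: built in since 2.6.33, nothing to check"
    elif cfg_enabled "$cfg" CONFIG_SECURITY_FILE_CAPABILITIES; then
        echo "File capabilities: enabled"
    else
        echo "File capabilities: missing"; fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample configs (not the real Ubuntu ones), modelled on the
# 2.6.38-1208 kernel before the fix and the 2.6.38-1209 kernel after it.
tmp=$(mktemp -d)
printf 'CONFIG_NAMESPACES=y\n# CONFIG_USER_NS is not set\n# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set\n' > "$tmp/config-1208"
printf 'CONFIG_NAMESPACES=y\nCONFIG_USER_NS=y\nCONFIG_DEVPTS_MULTIPLE_INSTANCES=y\n' > "$tmp/config-1209"

for c in config-1208 config-1209; do
    echo "== $c =="
    check_lxc_config "$tmp/$c" 2.6.38 || echo "$? requirement(s) missing"
done
```

To check a kernel extracted with dpkg-deb as in the verification above, call check_lxc_config with ./boot/config-&lt;version&gt; and the version string from the file name.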
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ti-omap4 - 2.6.38-1209.15

---------------
linux-ti-omap4 (2.6.38-1209.15) natty-proposed; urgency=low

  * Release tracking bug
    - LP: #837761

  [ Paolo Pisati ]

  * [Config] Turn on CONFIG_USER_NS and DEVPTS_MULTIPLE_INSTANCES.
    - LP: #787749

  [ Tim Gardner ]

  * [Config] Add enic/fnic to nic-modules udeb, CVE-2011-1020
    - LP: #801610

  [ Upstream Kernel Changes ]

  * mpt2sas: prevent heap overflows and unchecked reads
    - LP: #780546
  * agp: fix arbitrary kernel memory writes
    - LP: #775809
  * can: add missing socket check in can/raw release
    - LP: #780546
  * agp: fix OOM and buffer overflow
    - LP: #775809
  * bonding: Incorrect TX queue offset, CVE-2011-1581
    - LP: #792312
    - CVE-2011-1581
  * fs/partitions/efi.c: corrupted GUID partition tables can cause kernel
    oops
    - LP: #795418
    - CVE-2011-1577
  * can: Add missing socket check in can/bcm release.
    - LP: #796502
    - CVE-2011-1598
  * USB: ehci: remove structure packing from ehci_def
    - LP: #791552
  * taskstats: don't allow duplicate entries in listener mode,
    CVE-2011-2484
    - LP: #806390
    - CVE-2011-2484
  * ext4: init timer earlier to avoid a kernel panic in __save_error_info,
    CVE-2011-2493
    - LP: #806929
    - CVE-2011-2493
  * dccp: handle invalid feature options length, CVE-2011-1770
    - LP: #806375
    - CVE-2011-1770
  * pagemap: close races with suid execve, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * report errors in /proc/*/*map* sanely, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * close race in /proc/*/environ, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * auxv: require the target to be tracable (or yourself), CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * deal with races in /proc/*/{syscall, stack, personality}, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * rose: Add length checks to CALL_REQUEST parsing, CVE-2011-1493
    - LP: #816550
    - CVE-2011-1493
  * GFS2: make sure fallocate bytes is a multiple of blksize, CVE-2011-2689
    - LP: #819572
    - CVE-2011-2689
  * Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
    - LP: #819569
    - CVE-2011-2492
  * Add mount option to check uid of device being mounted = expect uid,
    CVE-2011-1833
    - LP: #732628
    - CVE-2011-1833
  * ipv6: make fragment identifications less predictable, CVE-2011-2699
    - LP: #827685
    - CVE-2011-2699
  * perf: Fix software event overflow, CVE-2011-2918
    - LP: #834121
    - CVE-2011-2918
  * proc: fix oops on invalid /proc/<pid>/maps access, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020

linux-ti-omap4 (2.6.38-1209.13) natty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #772381

  [ Brad Figg ]

  * Ubuntu-2.6.38-9.43

  [ Bryan Wu ]

  * merge Ubuntu-2.6.38-9.43
  * cherry-pick 6 patches from u2 of 'for-ubuntu' branch
  * [Config] Sync up configs for 2.6.38.4

  [ Herton Ronaldo Krzesinski ]

  * SAUCE: Revert "x86, hibernate: Initialize mmu_cr4_features during boot"
    - LP: #764758

  [ Leann Ogasawara ]

  * [Config] updateconfigs for 2.6.38.4

  [ Paolo Pisati ]

  * [Conf...

Changed in linux-ti-omap4 (Ubuntu Natty):
status: Fix Committed → Fix Released